Don’t Know About TLS? You, and Your Merchants, Soon Will

A July 1 PCI Security Standards Council deadline is prompting payments providers to act well before then, with many establishing their own compliance deadlines in February. What has provoked this eagerness? One likely reason is that noncompliance with the PCI mandate could halt merchant transactions that rely on the Internet.

The PCI Council in 2015 issued a deadline to migrate from earlier forms of Internet security standards. These standards govern the cryptographic protocol used when devices connect over the public Internet. Specifically, the PCI Council, which originally set a June 2016 deadline that was later moved to July 1, 2018, says Transport Layer Security (TLS) 1.1 or higher is necessary for transactions to be compliant. Transactions made with Web browsers and many point-of-sale terminals using older versions of TLS or Secure Sockets Layer (SSL) technology will be out of compliance after that date.

Some merchants will have to update their Web sites to TLS 1.1 or higher, while others may need to update their POS terminals if these devices connect to the payments system using the public Internet. Some merchants may have to update the operating systems on computers running their POS software if the system does not support the newer cryptographic standard.

TLS is the newest version of an encryption protocol originally developed by Netscape as Secure Sockets Layer. The Internet Engineering Task Force oversees the protocol.

Processor First Data Corp. set a Feb. 15 deadline for transactions using its Datawire service, a transport network that sends financial data over the public Internet from a merchant’s POS system to First Data. Beginning then, Datawire will support only TLS 1.2, the most recent version of the security protocol. Merchants that have not upgraded will not be able to complete transactions using Datawire until they move to TLS 1.2, First Data says in a notice.

Others, such as Boston-based Cayan, are planning test periods prior to July 1 to incite merchant action.

Cayan, now a part of Total System Services Inc. (TSYS), has so-called brownouts planned beginning in April that will disable products using TLS 1.0. The hope is that merchants will call to find out what happened, says Dominic Lachowicz, Cayan vice president of engineering. “This is basically to test merchant awareness and readiness,” Lachowicz says.

“The writing is on the wall for TLS 1.0,” Lachowicz tells Digital Transactions News. Criminal enterprises, which have executed known exploits of earlier versions of TLS and SSL, can harness ever-increasing computing power to find chinks in the security armor, he says.

He likens the current effort to the EMV migration. “Merchants, terminal manufacturers, merchant service providers, and gateways are making sure their systems are ready,” Lachowicz says.

At Cayan, he estimates approximately 40% of its merchants are at risk. Several months ago, it was 60%. Many of the 40% are Cayan’s larger merchants. “We will make a very strong push to that deadline,” he says.